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1 DETAILED ACTION 

2 

3 This action is in response to the communication filed on 5/15/2006. 

4 All objections and rejections not set forth below have been withdrawn. 

5 Claims 1 , 4-1 2, 1 6-21 , and 24-28 are pending. 
6 

7 

8 Claim Rejections -35 USC §102 

9 

10 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 

1 1 form the basis for the rejections under this section made in this Office action: 

12 A person shall be entitled to a patent unless - 

1 3 (b) the invention was patented or described in a printed publication in this or a foreign country or in public 

14 * use or on sale in this country, more than one year prior to the date of application for patent in the United 

15 States. 
16 

17 Claims 1, 4-12, 16-21, and 24-28 are rejected under 35 U.S.C. 102(b) as 

18 being anticipated by Scott et al. (Scott), "Abstracting Application-Level Web 

19 Security". 

20 

21 Regarding claim 1 , Scott discloses: 

22 receiving data input through a web page from a client device (fig. 1 , page 2, col. 

23 1 , par. 3-6); referencing a declarative module to determine a client input security screen 

24 to apply to the data input from the client device (page 3, col. 2, par. 2); 

25 wherein the declarative module comprises: 
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1 a global section that includes at least one client input security screen that applies 

2 to any type of client input value (fig. 2; page 6, col. 1 , par. 1 , 2, par. 2, lines 9-13). Scott 

3 discloses input security screens (i.e. a transformation screen) that are applied to all user 

4 input (parameters values); 

5 an individual values section that includes at least one client input security screen 

6 that applies to a particular type of client input value (fig. 2; page 4, col. 1 ). Herein, Scott 

7 discloses screens for screening particular types of client input values (i.e. cookies, urls, 

8 other parameters). Thus Scott discloses an individual values section. 

9 and applying multiple client input security screens to the data input from the client 



1 0 cfew'ce (page 3, col. 2, par. 2; fig. 2), including at least one client input security screen 

1 1 from the global section of the declarative module and at least one client input security 

12 screen from the individual values section of the declarative module, wherein the client 

1 3 input security screens are distinct from one another (page 3, col. 2, par. 1 , 2; fig. 2). 

14 Herein, Scott discloses separate screens. 
15 



16 Regarding claim 4, Scott discloses: 

1 7 wherein the particular type of client input value is one of the following types of 

1 8 client input values: query string; server variable; form value; cookie (fig. 2). 
19 

20 Regarding claim 5, Scott discloses: 

21 wherein the declarative module further comprises a web.config file (page 1 , col. 

22 2, par.3; page 3, col. 2, par. 1). 



Application/Control Number: 10/606,089 Page 4 

Art Unit: 2137 

1 

2 Regarding claim 6, Scott discloses: 

3 wherein the applying the client input security screen further comprises executing 
A a default action on invalid client input detected by the client input security screen (page 

5 3, col. 2, par. 1, lines 8-13, par. 2, lines 5-11; page 4, col. 2, par. 3,4). Scott discloses 

6 the application of several types of input screening to all input data (default screening) 

7 wherein actions are performed on the all the input data during the process of data input 

8 security screening. Additionally, Scott discloses default transformations that can be 

9 applied during the screening of invalid input data. 
10 

1 1 Regarding claim 7, Scott discloses: 

1 2 wherein the applying the client input security screen further comprises executing 

1 3 a specified action on invalid client input detected by the client input security screen, the 

14 specified action being specified in the client input security screen (page 4, col. 1 , par. 4- 

15 6). 
16 

17 Regarding claim 8, Scott discloses: 

1 8 wherein a client input security screen further comprises one or more values that 

1 9 may be entered as client input, the one or more values further comprising the only 

20 values that may be entered as client input (page 4, col. 1 , par. 4-6). Scott discloses a 

21 security screen that constrains client input to a set of values, such as any integer: 0 - int 

22 [length 4]. Thus, the security screen effectively comprises the values of 0 - int [length 
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1 4] to be imposed upon the client input as a restriction. Additionally, Scott discloses that 

2 the security screen comprises specific URL values (extracted from HTTP requests) that 

3 may be entered as client input (page 6, col. 2, par. 1 ). 
4 



5 Regarding claim 9, Scott discloses: 

6 • wherein a client input security screen further comprises one or more screened 

7 values that, when detected in the client input, cause an action to be taken on the client 

8 input (fig. 4; page 3, col. 2, par. 2; page 4, col. 2, par. 3). 
9 

10 Regarding claim 10, Scott discloses: 

1 1 wherein the action to be taken further comprises removing the one or more 



12 screened values detected in the client input (fig. 4; page 3, col. 2, par. 2; page 4, col. 2, 

13 par. 3, 4). Scott discloses the encoding of screened values (removal and replacement). 

14 Additionally, Scott discloses the removal of values from client input based upon the 

15 client input security screen (page 7, col. 2, par. 1.1 -1.2) 
16 

1 7 Regarding claim 1 1 , Scott discloses: 

1 8 wherein the action to be taken further comprises removing an entire string that 

1 9 contains the one or more screened values detected in the client input (page 6, col. 2, 

20 par. 3; fig. 5; page 9, col. 1, par. 2.2). 
21 
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1 Regarding claim 12, it is the system claim corresponding to the method claim 1 , 

2 and is rejected for, at least, the same reasons, and furthermore because Scott 

3 discloses: 

4 a web page server unit configured to provide one or more web pages to one or 

5 more client devices over a distributed network (fig. 1 ). 
6 

7 Regarding claim 16, Scott discloses: 

8 wherein a screening rule further comprises a client input variable that may be 

9 accepted as input from a client (fig. 5). Scott discloses various screening rules that 
1 0 accept client input variables. 

11 

12 Regarding claim 17, Scott discloses: 

1 3 wherein a screening rule further comprises one or more screened characters 

1 4 that, when detected in client input, are screened from the client input according to a 

1 5 screening rule (fig. 5 - see transformation). 
16 

17 Regarding claim 18, Scott discloses: 

1 8 wherein the screening rule further comprises a default screening action that is 

1 9 applied in the absence of a specified screening action (fig. 5 - see transformation). 

20 Scott discloses a single screening action that is to be performed, and thus, a default 

21 screening action. 
22 



Application/Control Number: 10/606,089 Page 7 



Art Unit: 2137 

1 Regarding claim 19, Scott discloses: 

2 wherein the screening rule further comprises a specified screening action that is 

3 applied to the screened client input (fig. 5 - see transformation). Scott discloses a 

4 single specific screening action that is to be performed. 
5 

6 Regarding claim 20, it is rejected, at least, for the same reasons as claim 5. 

7 

8 Regarding claim 21 , it is rejected, at least, for the same reasons as claim 1 , and 

9 furthermore because Scott discloses: 

1 0 serving a web page to a client over a distributed network; receiving client input 



1 1 via the web page (fig. 1 , page 2, col. 1 , par. 3-6); comparing the client input with multiple 

1 2 and distinct client input security screens stored in a security declarative module; 

1 3 wherein the security declarative module includes a global section configured to screen 

1 4 all types of client input values and an individual values section configured to screen 

1 5 particular types of client input values (see rejection of claim 1 ); if invalid client input is 

1 6 detected, performing a screening action on the invalid client input as indicated by the 

17 security declarative module (page 3, col. 2, par. 2; page 4, col. 2, par. 3; page 6, col. 1 , 

1 8 par. 1 , 2; fig. 5); and wherein the client input security screens included in the security 

19 declarative module can be applied to multiple web pages (page 4, col. 1 , par. 2). 

20 Furthermore, Scott discloses a computer system, and thus discloses media and 

21 instructions (fig. 1). 
22 
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1 Regarding claims 24 and 25, they are the media and instruction claims 

2 corresponding to the method and system claims of 5— 7, 18, and 19, and they are 

3 rejected for, at least, the same reasons. 
4 

5 Regarding claim 26, Scott discloses: 

6 wherein the screening action further comprises a default action that is not 

7 required to be specified in a client input security screen (page 6, col. 1 , par. 1 , 2). 
8 

9 Regarding claims 27 and 28, Scott discloses: 

1 0 wherein the multiple web pages are included in a web project and wherein the 



1 1 multiple web pages are included in a web-based application (Abstract; Introduction; fig. 

12 1; section 3.1; page 4, col. 1, par. 2; page 6, col. 1, par. 2, col. 2, par. 1). Scott 

1 3 discloses a security policy to be applied to a large web-application, the policy 

14 comprising rules for the web pages of a site. The web pages are associated with a web 

15 application, thus, they are included in a web project/application. 
16 

17 

1 8 Response to Arguments 

19 

20 Applicant's arguments filed 5/15/2006 have been fully considered but they are 

21 not persuasive. 
22 
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1 Applicant's argue primarily that Scott does not disclose the features of claim 1 , 

2 and similarly claims 12 and 21 (Remarks, pg. 12 et seq.). 
3 

4 In response, the examiner takes note the applicants have amended the 

5 independent claims to state that "the client input security screens are distinct from one 

6 another" [claim 1], "distinct client input security screens from the global section and the 

7 individual values section" [claim 12], and "multiple and distinct client input security 

8 screens" [claim 21]. 

9 As was noted in the telephonic interview of 4/4/06, the applicant's representative 

1 0 pointed out that the instant application makes the distinction of two screening sections, 

1 1 a global section (box 234, fig. 2) and an individual values section (box 236, fig. 2), 

12 whereas, the prior art does not. The examiner agreed that the prior of Scott did not 

13 appear, at the present time, to explicitly state the division of his policy file into a "global 

14 section" and "an individual values section", but that further consideration would be given 

15 to the matter upon the submission of an amendment. 

16 It is respectfully noted, however, that the submitted amendment and related 

1 7 arguments for overcoming the prior art of record do not pertain to the distinction of a 

18 "global section" and an "individual screening section". Rather, they pertain to the 

19 distinction of screens. It is also noted that according to the applicant's supporting 

20 arguments (Remarks, pg. 1 1 ), the two sections are not distinct regarding to which 

21 screens they contain [each section is configured to screen all input types]. Furthermore, 
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1 it is noted that the distinction of "global" and "individual" is nominal [i.e. a global 

2 screening portion exists simply when there is only one policy or screening file]. 

3 The examiner finds the applicant's arguments regarding claim 1 to be 

4 unpersuasive. Scott does show distinct screens, including a distinct screens that are 

5 applied to all input values and distinct screens that are applied to individual client input 

6 values (see above rejection to claim 1 , as well as dependent claims). 
7 

8 



9 Conclusion 

10 

1 1 The prior art made of record and not relied upon is considered pertinent to 

12 applicant's disclosure. 

1 3 See Notice of References Cited. 
14 

15 THIS ACTION IS MADE FINAL Applicant is reminded of the extension of time 

16 policy as set forth in 37 CFR 1.136(a). 

17 A shortened statutory period for reply to this final action is set to expire THREE 

1 8 MONTHS from the mailing date of this action. In the event a first reply is filed within 

1 9 TWO MONTHS of the mailing date of this final action and the advisory action is not 

20 mailed until after the end of the THREE-MONTH shortened statutory period, then the 

21 shortened statutory period will expire on the date the advisory action is mailed, and any 

22 extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
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1 the advisory action. In no event, however, will the statutory period for reply expire later 

2 than SIX MONTHS from the mailing date of this final action. 
3 

4 Any inquiry concerning this communication or earlier communications from the 

5 examiner should be directed to Jeffery Williams whose telephone number is (571 ) 272- 

6 7965. The examiner can normally be reached on 8:30-5:00. 

7 If attempts to reach the examiner by telephone are unsuccessful, the examiner's 

8 supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone 

9 number for the organization where this application or proceeding is assigned is 571 - 

10 273-8300. 

1 1 Information regarding the status of an application may be obtained from the 

12 Patent Application Information Retrieval (PAIR) system. Status information for 

13 published applications may be obtained from either Private PAIR or Public PAIR. 

14 Status information for unpublished applications is available through Private PAIR only. 

15 For more information about the PAIR system, see http-y/pair-direct.uspto.gov. Should 

16 you have questions on access to the Private PAIR system, contact the Electronic 

17 Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 

18 USPTO Customer Service Representative or access to the automated information 

1 9 system, call 800-786-91 99 (IN USA OR CANADA) or 571-272-1 000. 
20 

21 

22 J. Williams 

23 AU:2137 
24 




